$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:racecondition-file-write
Now that the app is running let's go hacking!
Reconnaissance
Step 1
We can download a file from the server by doing a GET request to the server.
Let's try:
Once we download the file we can see that whatever we add to the URL path is written into a file called shared-file.txt and returned to us.
Step 2
As the application suggests, there is a Race condition vulnerability in this app, let's try to find it.
If we look at the code we see that the application takes the path parameter, writes it to a file called shared-file.txt, then opens that same file and sends it back as the response. The route handler, reformatted from the lab's source (the imports and the Flask app object are added so the excerpt runs on its own; the shared fixed file path is the intended vulnerability and is left as it is):

    from flask import Flask, make_response, send_file

    app = Flask(__name__)

    @app.route("/<string:value>", methods=['GET'])
    def home(value):
        # Create a Python file object using open() and the with statement.
        # Every request writes to the SAME path, so two concurrent requests
        # overwrite each other's content.
        with open("shared-file.txt", 'w') as f:
            f.write(value)
        # Note: f.closed is an attribute read, not a close() call; the with
        # block already closed the file, so these two lines are no-ops.
        f.closed
        f.closed
        # This handle is opened but never used; send_file() below re-opens the path.
        file = open("shared-file.txt", "r")
        # The file is read back from disk here, after the write above: this is the
        # window in which another request can replace its content.
        response = make_response(send_file("shared-file.txt", attachment_filename="shared-file.txt"))
        response.headers.set("Content-Type", "text/html; charset=utf-8")
        response.headers.set("Content-Disposition", "attachment; filename=shared-file.txt")
        return response
Step 3
How can we exploit this?
We have a very small window between the writing of the file:
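To make the write-then-read window from Step 2 and Step 3 concrete, here is an added Python example (not part of the lab's code) that mirrors the handler's behaviour on a shared path, lets a second request land inside the window, and shows a per-request temporary file as the fix. The `between` hook and the `count_crossovers` stress helper are assumptions made for this example.

```python
import os
import tempfile
import threading

SHARED_FILE = "shared-file.txt"  # the single fixed path the lab handler writes to

def serve_shared(value, between=None):
    """Mirror of the lab handler: write to one shared path, then read it back.
    `between` (a hook for this example) runs inside the window between the write
    and the read, standing in for a second request that arrives at that moment."""
    with open(SHARED_FILE, "w") as f:
        f.write(value)
    if between:
        between()
    with open(SHARED_FILE) as f:
        return f.read()

def serve_private(value, between=None):
    """Hardened variant: each request gets its own temp file, so no other
    request can replace the data between the write and the read."""
    fd, path = tempfile.mkstemp(prefix="resp-", suffix=".txt")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(value)
        if between:
            between()
        with open(path) as f:
            return f.read()
    finally:
        os.unlink(path)  # nothing shared is left behind

def count_crossovers(handler, requests=200):
    """Fire concurrent requests; count how many got back another request's data."""
    mismatches = []
    def worker(i):
        sent = f"user-{i}"
        if handler(sent) != sent:
            mismatches.append(i)
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(mismatches)

if __name__ == "__main__":
    # Deterministic interleaving: request B lands inside request A's window.
    print(serve_shared("request-A", between=lambda: serve_shared("request-B")))    # request-B
    print(serve_private("request-A", between=lambda: serve_private("request-B")))  # request-A
    print("shared-path crossovers:", count_crossovers(serve_shared))
    print("private-file crossovers:", count_crossovers(serve_private))
```

Under real load the shared-path count varies from run to run (it depends on scheduling), which is exactly what makes this class of bug hard to reproduce on demand; the private-file count is always zero.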